DETAILED ACTION

1. Claims 1-3, 5-7, and 9-20 have been examined.

Claim Rejections - 35 USC § 103 

2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

3. Claims 1-4 are rejected under 35 U.S.C. 103(a) as being unpatentable over Clifton U.S. 
Pat. No. 5469556 (hereinafter Clifton) in view of Negishi et al. U.S. Pat. No. 6571278 
(hereinafter Negishi) and further in view of Sampson et al. U.S. Pat. No. 6339423 (hereinafter
Sampson). 

As per claim 1, Clifton discloses a computer-readable medium having 
computer-executable instructions for protecting domain data against unauthorized modification 
(Clifton: column 2 line 28 - column 4 line 34: provide resource access security system), 
comprising: receiving a request to modify an object (Clifton: column 3 line 67 - column 4 line 8:
user information related to the requested resources), the object including a security descriptor
identifying an owner domain in the plurality of domains (Clifton: column 3 lines 8-52: using the
resource descriptor... and identify the domain); determining whether the user is within the owner
domain by retrieving from the security descriptor the identity of the owner domain and
comparing the owner domain identity to the domain within which the first computing machine
resides (Clifton: column 3 line 54 - column 4 line 8: the requester's information and the domain
table; column 3 line 18 - column 4 line 26: use the domain information to determine access); and
if the user is not within the owner domain, rejecting the request to modify the object (Clifton:
column 4 lines 18-25: access is only permitted to the resource identified by the user/job, domain,
and page information). Clifton does not explicitly disclose the receiving at a first computing
machine a request to modify an object associated with a shared data structure and plurality of 
computers involved in the network. However, Negishi discloses that limitation (Negishi: column 
2 lines 26-42: receiving modification request). The user disclosed by Clifton can be represented 
by computers disclosed by Negishi to apply to the data sharing security system. It would have 
been obvious to one having ordinary skill in the art to combine the teachings of Negishi within 
the system of Clifton because it increases network security by first identifying the security of the 
requester. The combination of Clifton-Negishi does not explicitly disclose the shared data 
structure spanning a plurality of domains. However, Sampson discloses that limitation 
(Sampson: figure 1 and 2 and column 4 lines 14-56). It would have been obvious to one having 
ordinary skill in the art to combine the teachings of Sampson within the combination of Clifton- 
Negishi because it decreases the number of authentication process performed by each domain 
when a user wishes to access resources from multiple domains.

As per claim 2, the combination of Clifton-Negishi-Sampson discloses the 
computer-readable medium of claim 1. Clifton further discloses if the first computing machine is
within the owner domain, allowing the request to modify the object (Clifton: column 4 lines 18-
25: access is only permitted to the resource identified by the user, domain, and page 
information).

As per claim 3, the combination of Clifton-Negishi-Sampson discloses the computer-readable
medium of claim 1. Negishi further discloses the shared data structure includes at least
one data store that is replicated among each of the plurality of domains, and wherein the object is 
contained within the replicated data store (Negishi: column 2 lines 25-42: the replica of the 
shared data; column 4 lines 27-39: the number of computers is not limited to two). It would have 
been obvious to one having ordinary skill in the art to combine the teachings of Negishi within 
the combination of Clifton-Negishi-Sampson because it prevents modification conflict to take 
place on the actual data by resolving the conflict detected in the replicated shared file storage. 

4. Claim 5 is rejected under 35 U.S.C. 103(a) as being unpatentable over Clifton in view of
Negishi and further in view of Sampson and further in view of Dockter et al. U.S. Pat. No.
6295605 (hereinafter Dockter). 

As per claim 5, the combination of Clifton-Negishi-Sampson discloses the computer-readable
medium of claim 1. Clifton-Negishi-Sampson does not explicitly disclose the security
descriptor further comprises a field that indicates whether a special security evaluation should be
performed on requests to modify the object, and wherein the computer executable instructions
further comprise, if the field indicates that the special security evaluation should be performed,
causing the special security evaluation to be performed. However, Dockter discloses that
limitation (Dockter: column 3 lines 30-38: system resource/object are assigned classification
level; column 4 line 43 - column 5 line 23: further security evaluation is required if the
preceding evaluation cannot determine the access). It would have been obvious to one having
ordinary skill in the art to include information in the security descriptor to indicate further
security evaluation is required when previous security evaluation cannot determine access to
resource. Therefore, it would have been obvious to one having ordinary skill in the art to 
combine the teachings of Dockter within the combination of Clifton-Negishi-Sampson because it 
increases the efficiency in evaluating access security. 

5. Claim 6 is rejected under 35 U.S.C. 103(a) as being unpatentable over Clifton in view of
Negishi and further in view of Sampson and further in view of Dockter and further in view of 
Goertzel et al. U.S. Pat. No. 6308273 (hereinafter Goertzel). 

As per claim 6, the combination of Clifton-Negishi-Sampson-Dockter discloses the
computer-readable medium of claim 5. Clifton-Negishi-Sampson-Dockter does not explicitly
disclose the special security evaluation comprises causing requesting that a second computing 
machine within the owner domain evaluate whether an entity issuing the request to modify the 
object is authorized to modify the object. However, Goertzel discloses that limitation (Goertzel: 
column 5 lines 31-67: check the location and domain of the requesting computer). It would have 
been obvious to one having ordinary skill in the art to combine the teachings of Goertzel within 
the combination of Clifton-Negishi-Sampson-Dockter because it increases network resource
security by limiting access to uncertain domains. 

6. Claims 7-12 are rejected under 35 U.S.C. 103(a) as being unpatentable over Clifton in 
view of Goertzel and further in view of Negishi and further in view of Dockter. 

As per claim 7, Clifton discloses a computer-implemented method for protecting domain 
data against unauthorized modification (Clifton: column 2 line 28 - column 4 line 34: provide
resource access security system), comprising: receiving a request from a user in a first domain
to modify an object, the request identifies at least one group of which the requester is a member
(Clifton: column 3 line 54 - column 4 line 8: the requester's information and the domain table),
the object having an associated security descriptor identifying an owner domain for the object
(Clifton: column 3 lines 8-52: using the resource descriptor... and identify the domain). Clifton
does not explicitly disclose security token identifying at least one group of which the requester is
a member. However, Goertzel discloses that limitation (Goertzel: column 9 lines 5-43: the access
token has security identifier based on user's credentials and group ID). It would have been 
obvious to one having ordinary skill in the art to combine the teachings of Goertzel within the 
system of Clifton because it allows first level security evaluation to be performed based on the 
user's credentials. The combination of Clifton-Goertzel does not explicitly disclose the receiving 
at a first computing machine a request to modify an object associated with a shared data structure 
and plurality of computers involved in the network. However, Negishi discloses that limitation 
(Negishi: column 2 lines 26-42: receiving modification request). It would have been obvious to 
one having ordinary skill in the art to replace user/job disclosed by Clifton by computers 
disclosed by Negishi to apply to the data sharing/network security system. Therefore, it would 
have been obvious to one having ordinary skill in the art to combine the teachings of Negishi 
within the combination of Clifton-Goertzel because it increases network security by first 
identifying the security of the requester. The combination of Clifton-Goertzel-Negishi does not 
explicitly disclose the object having a flag to identify whether a special security evaluation is to 
be performed on requests to modify the object; determining from the flag whether the special 
security evaluation is to be performed on the request to modify the object; if the flag indicates in 
the affirmative, then performing the special security evaluation on the request to modify the
object by passing the security token associated with the request and the security descriptor
associated with the object to the owner domain for evaluation; and if the special security
evaluation approves the request to modify the object then allowing the request to modify the
object to proceed. However, Dockter discloses that limitation (Dockter: column 3 lines 30-38:
system resource/object are assigned classification level; column 2 lines 31-50: acquire
qualification data regarding to the access request; column 4 line 43 - column 5 line 23: further
security evaluation is required if the preceding evaluation cannot determine the access). It would 
have been obvious to one having ordinary skill in the art to include information in the security 
descriptor to indicate further security evaluation is required when previous security evaluation 
cannot determine access to resource. Therefore, it would have been obvious to one having 
ordinary skill in the art to combine the teachings of Dockter within the combination of Clifton- 
Goertzel-Negishi because it increases the efficiency in evaluating access security. 

As per claim 9, the combination of Clifton-Goertzel-Negishi-Dockter discloses the
method according to claim 7. Dockter further discloses if the flag indicates in the negative, then 
performing a security evaluation on the request to modify the object (Dockter: column 4 line 45 
- column 5 line 23: continue evaluation if the previous evaluation result is undetermined). It 
would have been obvious to one having ordinary skill in the art to combine the teachings of 
Dockter within the combination of Clifton-Goertzel-Negishi because it allows the system to
avoid further evaluation if the requester cannot pass basic evaluations.

As per claim 10, the combination of Clifton-Goertzel-Negishi-Dockter discloses the
method according to claim 9. Goertzel further discloses the security evaluation comprises 
comparing the security token with the security descriptor to determine whether the requester is a 
member of any groups that have been granted permission to access the object (Goertzel: column 
9 lines 5-43). It is obvious to one having ordinary skill in the art to adopt different types of 
security evaluation based on different user information. Therefore, it would have been obvious to 
one having ordinary skill in the art to combine the teachings of Goertzel within the combination 
of Clifton-Goertzel-Negishi-Dockter because it is well known in the art to execute access control 
based on user information/credentials as well as user's security level. 

As per claim 11, the combination of Clifton-Goertzel-Negishi-Dockter discloses the 
method according to claim 10. Negishi further discloses the security evaluation further comprises 
determining whether the request to modify the object is a modification for which the requester is 
privileged on the first machine regardless of whether the requester is a member of any groups 
that have been granted permission to access the object (Negishi: column 3 lines 1-45: the 
security evaluation is based on the classification level of the users). It would have been obvious 
to one having ordinary skill in the art to combine the teachings of Negishi within the 
combination of Clifton-Goertzel-Negishi-Dockter because it is well known in the art to execute 
access control based on user information/credentials as well as user's security level. 

As per claim 12, the combination of Clifton-Goertzel-Negishi-Dockter discloses the
method according to claim 11. Goertzel further discloses the security evaluation further 
comprises if the requester is privileged to perform the request to modify the object, and the 
requested modification is a fundamental modification of the object, then denying the request if 
the first domain is not the owner domain for the object (Goertzel: column 1 line 55 - column 2
line 10; column 5 lines 11-67: the normal access token is restricted if the user is not within the
domain or location authorized by the system). It would have been obvious to one having ordinary 
skill in the art to combine the teachings of Goertzel within the combination of Clifton-Goertzel- 
Negishi-Dockter because it prevents unauthorized parties to access network resources through 
unauthorized links. 

7. Claims 13 and 20 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Sampson in view of Negishi and further in view of Clifton. 

As per claim 13, Sampson discloses a computer-readable medium having 
computer-executable components to protect domain data against unauthorized modification 
(Sampson: column 3 lines 20-43: access control system); comprising: a shared data structure that 
spans a plurality of domains (Sampson: column 4 lines 13-21: multiple domains), at least two 
domains in the plurality of domains having a transitive trust relationship wherein a user 
authentication within one of the two domains is honored in the other of the two domains 
(Sampson: column 3 lines 20-33). Sampson does not explicitly disclose the shared data structure 
having at least one data store that is replicated among each of the plurality of domains. However, 
Negishi discloses that limitation (Negishi: column 2 lines 29-31: replica of shared data; column 4 
lines 27-39: the number of computer is not limited to two and same components are provided to 
both computers so that means each computer has a replica or shared data). It would have been 
obvious to one having ordinary skill in the art to combine the teachings of Negishi within the 
system of Sampson because it prevents modification conflict to take place on the actual data by 
resolving the conflict detected in the replicated shared file storage. The combination of Sampson-Negishi
does not explicitly disclose an object stored within the data store, the object having a
plurality of attributes, at least one of the attributes being related to security access rights
associated with the object, the security access rights including an owner domain identifier
identifying one of the domains within the plurality of domains. However, Clifton discloses those
limitations (Clifton: column 3 lines 8-52). It would have been obvious to one having ordinary
skill in the art to combine the teachings of Clifton within the combination of Sampson-Negishi
because it increases security by prohibiting users from accessing data based on their domain
information. Negishi further discloses
a security system configured to receive a request to modify the object (Negishi: column 2 lines
29-31: a receiver for receiving modification request). It would have been obvious to one having
ordinary skill in the art to combine the teachings of Negishi within the combination of Sampson-Negishi-Clifton
because it is obvious to receive an access request before the system can execute
access control. Clifton further discloses to retrieve from the object the owner domain identifier,
to compare the owner domain identifier with an identifier of a domain from which the request
originated, and to reject the request to modify the object if the owner domain identifier does not
match the identifier of the domain from which the request originated (Clifton: column 3 line 53 -
column 4 line 26). Same rationale applies here as above.

As per claim 20, the combination of Sampson-Negishi-Clifton discloses the computer
readable medium according to claim 13. Clifton further discloses the at least one attribute
comprises a security descriptor, and the owner domain identifier is part of an owner security
identifier (Clifton: column 3 lines 8-53). It would have been obvious to one having ordinary
skill in the art to combine the teachings of Clifton within the combination of Sampson-Negishi-Clifton
because it increases security by prohibiting users from accessing data based on their
domain information. 

8. Claims 14 and 15 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Sampson in view of Negishi and further in view of Clifton and further in view of Jiang et al. U.S.
Pat. No. 6453354 (hereinafter Jiang) and further in view of Gupta et al. U.S. Pat. No. 6226752
(hereinafter Gupta). 

As per claim 14, the combination of Sampson-Negishi-Clifton discloses the computer
readable medium according to claim 13. Sampson-Negishi-Clifton does not explicitly disclose
the security access rights associated with the object further comprise an indicator that an attempt
to access the object is to be evaluated within the domain identified by the owner domain; and the
security system is further configured to, prior to performing a security evaluation on a received
request to modify the object, determine from the indicator whether the request to modify the
object should be evaluated within the domain identified by the owner domain, and if so, to return
a notification to the requestor that the security evaluation is to be evaluated within the domain 
identified by the owner domain. However, Jiang discloses access request to file system is 
forwarded to owner of the file if the request is not received by the owner of the file system 
(Jiang: column 13 lines 4-61). It would have been obvious to one having ordinary skill in the art 
to combine the teachings of Jiang within the combination of Sampson-Negishi-Clifton because it 
prevents a system from processing a request that it's not capable of processing. Jiang also 
discloses the first system forwards the request to another file system if it's not the owner of the 
requesting file. Jiang does not explicitly disclose redirecting the requestor to another system.
However, Gupta discloses that limitation (Gupta: column 14 line 65 - column 15 line 35: redirect
the client requestor to the second server). It would have been obvious to one having ordinary
skill in the art to combine the teachings of Gupta within the combination of Sampson-Negishi-Clifton-Jiang
because it allows direct communication between two parties.

As per claim 15, the combination of Sampson-Negishi-Clifton-Jiang-Gupta discloses the 
computer-readable medium according to claim 14. Gupta further discloses the notification to the 
requester comprises a referral message including an identification of the owner domain (Gupta: 
column 12 lines 13-24: redirect message). It would have been obvious to one having ordinary 
skill in the art to combine the teachings of Gupta within the combination of Sampson-Negishi-Clifton-Jiang-Gupta
because it helps the requestor to connect to the second server without much
interaction. 

9. Claim 16 is rejected under 35 U.S.C. 103(a) as being unpatentable over Sampson in view 
of Negishi and further in view of Clifton and further in view of Goertzel. 

As per claim 16, the combination of Sampson-Negishi-Clifton discloses the computer 
readable medium according to claim 13. Sampson-Negishi-Clifton does not explicitly disclose 
the security system is further configured to determine whether the request to modify the object
originated within a particular domain of the plurality of domains, and if so, then to perform a
standard security evaluation of the request to modify the object without resort to the owner
domain. However, Goertzel discloses that limitation (Goertzel: column 1 line 55 - column 2 line
10; column 5 lines 11-67: the normal access token is restricted if the user is not within the



Application/Control Number: 09/663,811 Page 13 

Art Unit: 2131 

domain or location authorized by the system). It would have been obvious to one having ordinary 
skill in the art to combine the teachings of Goertzel within the combination of Sampson-Negishi- 
Clifton because it prevents unauthorized parties to access network resources through 
unauthorized links and it enhances security measures if the request is not originated from 
authorized domains or locations. 

10. Claim 17 is rejected under 35 U.S.C. 103(a) as being unpatentable over Sampson in view 
of Negishi and further in view of Clifton and further in view of Goertzel and further in view of
Bellovin et al. U.S. Pat. No. 5805820 (hereinafter Bellovin). 

As per claim 17, the combination of Sampson-Negishi-Clifton-Goertzel discloses the 
computer readable medium according to claim 16. Sampson-Negishi-Clifton-Goertzel does not 
explicitly disclose the particular domain is a root domain of the shared data structure. However, 
Bellovin discloses that limitation (Bellovin: column 3 lines 16-59 and figures 1 and 3: the root 
domain has the highest level of authority for domain names). It would have been obvious to one 
having ordinary skill in the art to combine the teachings of Bellovin within the combination of 
Sampson-Negishi-Clifton-Goertzel because since root domain has the highest level of authority, 
it has the authority to process all of the access requests. 

11. Claim 18 is rejected under 35 U.S.C. 103(a) as being unpatentable over Sampson in view 
of Negishi and further in view of Clifton and further in view of Antur et al. U.S. Pat. No.
6243815 (hereinafter Antur).

As per claim 18, the combination of Sampson-Negishi-Clifton discloses the computer
readable medium according to claim 13. Sampson-Negishi-Clifton does not explicitly disclose 
the shared data structure comprises a directory service and wherein the at least one data store 
comprises configuration data associated with the directory service. However, Antur discloses 
that limitation (Antur: column 2 lines 35-49: storing configuration data by network directory 
service server). It would have been obvious to one having ordinary skill in the art to combine the 
teachings of Antur within the combination of Sampson-Negishi-Clifton because it improves 
firewall configuration by updating and reconfiguring network firewall at a single administration 
point. 

12. Claim 19 is rejected under 35 U.S.C. 103(a) as being unpatentable over Sampson in view 
of Negishi and further in view of Clifton and further in view of Lumelsky et al. U.S. Pat. No. 
6466980 (hereinafter Lumelsky). 

As per claim 19, the combination of Sampson-Negishi-Clifton discloses the computer 
readable medium according to claim 13. Sampson-Negishi-Clifton does not explicitly disclose 
the shared data structure comprises a directory service and wherein the at least one data store 
comprises schema data associated with the directory service. However, Lumelsky discloses that 
limitation (Lumelsky: column 9 line 22 - column 10 line 3: replica directory maintained by 
directory service... including schema and data). It would have been obvious to one having
ordinary skill in the art to combine the teachings of Lumelsky within the combination of
Sampson-Negishi-Clifton because it provides adaptive resource management function for
distributed resources that could shape system capacity to the needs of the environment.

Response to Arguments

13. Applicant's arguments filed 7/22/2004 have been fully considered but they are not 
persuasive. 

Regarding the arguments, applicant argues the references do not teach retrieving from
the security descriptor the identity of the owner domain and comparing the owner domain
identity to the domain within which the first computing device resides. However, Clifton
discloses that limitation in column 3 lines 14 - column 4 line 26 by stating that the domain tables
are used to obtain the particular domain of the user and the access is only permitted to the 
resource identified by the user, domain and page information. On the other hand, the applicant 
argues that passing the security token associated with the request and the security descriptor 
associated with the object to the owner domain for evaluation is not disclosed. However, Dockter 
discloses that limitation in column 2 lines 31-50 by first determining the security level of the 
resource and authenticate the user based on the user's qualifications. Therefore, the applicant's 
arguments are respectfully traversed.

Conclusion 

14. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO
MONTHS of the mailing date of this final action and the advisory action is not mailed until after
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the mailing 
date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Shin-Hon Chen whose telephone number is (571) 272-3789. The 
examiner can normally be reached on Monday through Friday 8:30am to 5:30pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 



Shin-Hon Chen 
Examiner 
Art Unit 2131 